We are logging information from a network security device that has multiple fields of interest. LOGIN, LOGOUT, START, and DISCONNECT messages all have unique time stamps and messages associated with a user (but a unique id with each session). How can I have a single report for a user with the timestamp for LOGIN, LOGOUT per each session?
@phillipmadm, looking at your sample events, the LOGOUT event in itself is complete, as it also has the login details, for example.
Also, as you have mentioned, many other interesting fields are present, like LogoutMethod.
You can add LOGOUT to your base search to get only the logout events, then override _time with Start_time and plot the duration on the timechart. You can also consider using the Timeline custom visualization to plot the duration as a Gantt chart.
<Your Base Search> LOGOUT
| eval Start_time=strptime(Start_time,"%m/%d/%Y:%H:%M:%S")
| eval _time=Start_time
| timechart max(Duration) as MaxDuration by User
You can try various by clauses apart from User like Client_ip, SessionId and even composite key like
eval Key=User." (SessionID:".SessionId.")"
PS: I have overridden _time with Start_time from your log, since the LOGOUT event has the logout time in _time by default.
Finally, if you want to display all Login/Logout pairs, you can use values(Duration), preferably with stats instead of timechart. Please try this and let us know how it goes.
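The same per-session correlation the answer does in SPL (key on SessionId, take the LOGOUT event's Start_time/End_time/Duration, group by User), written as a stand-alone Python script. This is an added example, not part of the answer above and not Splunk or NetScaler code; the sample lines are constructed from the two events quoted in the question, with a third LOGIN (SessionId 43720, user JaneDoe) invented here so the script can show a session that never logs out. The field names (SessionId, User, Client_ip, Start_time, End_time, Duration, LogoutMethod) are the ones visible in the question's events.

```python
import re
from datetime import datetime

# Constructed sample events, modelled on the NetScaler SSLVPN LOGIN/LOGOUT
# lines quoted in the question (Browser_type shortened). The third line is
# invented: a LOGIN with no matching LOGOUT.
SAMPLE_EVENTS = [
    'Mar 10 18:35:35 03/10/2017: 18:34:57 ns 0-PPE-0 : SSLVPN LOGIN 17573462 0 : '
    'Context JoeSmith@x.x.x.x - SessionId: 43717- User JoeSmith - Client_ip x.x.x.x - '
    'Nat_ip "Mapped Ip" - Vserver x.x.x.x:443 - Browser_type "Mozilla/5.0" - '
    'SSLVPN_client_type - Group(s) "N/A"',
    'Mar 10 18:50:30 03/10/2017: 18:49:52 ns 0-PPE-0 : SSLVPN LOGOUT 17576185 0 : '
    'Context JoeSmith@x.x.x.x - SessionId: 43717- User JoeSmith - Client_ip x.x.x.x - '
    'Nat_ip "Mapped Ip" - Vserver x.x.x.x:443 - Start_time "03/10/2017:18:34:57 " - '
    'End_time "03/10/2017:18:49:52 " - Duration 00:14:55 - Http_resources_accessed 23 - '
    'LogoutMethod "Explicit" - Group(s) "N/A"',
    'Mar 10 19:02:11 03/10/2017: 19:01:40 ns 0-PPE-0 : SSLVPN LOGIN 17580001 0 : '
    'Context JaneDoe@x.x.x.x - SessionId: 43720- User JaneDoe - Client_ip x.x.x.x - '
    'Nat_ip "Mapped Ip" - Vserver x.x.x.x:443 - Browser_type "Mozilla/5.0" - '
    'SSLVPN_client_type - Group(s) "N/A"',
]

# Device timestamp, then the action keyword, e.g. "03/10/2017: 18:34:57 ns 0-PPE-0 : SSLVPN LOGIN "
HEADER_RE = re.compile(r'(\d{2}/\d{2}/\d{4}): (\d{2}:\d{2}:\d{2}) .*? : SSLVPN (LOGIN|LOGOUT) ')
TIME_FMT = "%m/%d/%Y:%H:%M:%S"  # same format string the SPL strptime in the answer uses


def _field(line, pattern):
    """Return the first regex group of `pattern` in `line`, stripped, or None."""
    m = re.search(pattern, line)
    return m.group(1).strip() if m else None


def parse_event(line):
    """Extract the fields the report needs from one SSLVPN LOGIN/LOGOUT line."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    date, tod, action = m.groups()
    ev = {
        "action": action,
        "device_time": datetime.strptime(f"{date}:{tod}", TIME_FMT),
        "session_id": _field(line, r'SessionId: (\d+)'),
        "user": _field(line, r'- User (\S+)'),
        "client_ip": _field(line, r'Client_ip (\S+)'),
    }
    if action == "LOGOUT":
        # The LOGOUT event carries the whole session: start, end and duration.
        # Start_time/End_time have a trailing space inside the quotes, hence strip().
        ev["start_time"] = datetime.strptime(_field(line, r'Start_time "([^"]*)"'), TIME_FMT)
        ev["end_time"] = datetime.strptime(_field(line, r'End_time "([^"]*)"'), TIME_FMT)
        ev["duration"] = _field(line, r'Duration (\d+:\d+:\d+)')
        ev["logout_method"] = _field(line, r'LogoutMethod "([^"]*)"')
    return ev


def duration_seconds(hms):
    """Convert a Duration field such as 00:14:55 into seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def build_report(lines):
    """One row per session, keyed on SessionId, like `stats ... by User, SessionId`."""
    sessions = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        row = sessions.setdefault(ev["session_id"], {
            "session_id": ev["session_id"], "user": ev["user"],
            "client_ip": ev["client_ip"], "login": None, "logout": None,
        })
        if ev["action"] == "LOGIN":
            row["login"] = ev["device_time"]
        else:
            row["logout"] = ev["end_time"]
            row["login"] = row["login"] or ev["start_time"]  # LOGOUT alone is enough
            row["duration_s"] = duration_seconds(ev["duration"])
            row["logout_method"] = ev["logout_method"]
    for row in sessions.values():
        row["status"] = "closed" if row["logout"] else "open"
        if row["status"] == "closed":
            # Sanity check: the reported Duration should equal End_time - Start_time.
            elapsed = (row["logout"] - row["login"]).total_seconds()
            row["duration_consistent"] = elapsed == row["duration_s"]
    return sorted(sessions.values(), key=lambda r: (r["user"], r["login"] or datetime.min))


if __name__ == "__main__":
    for r in build_report(SAMPLE_EVENTS):
        print(r["user"], r["session_id"], r["login"], r["logout"], r["status"],
              r.get("duration_s"), r.get("logout_method"))
```

Sessions still marked "open" are the ones a LOGOUT-only search would never show, which is why the script keeps LOGIN events too: a report built solely from LOGOUT events silently omits sessions that were never closed.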
Good to go 🙂
Do you have a unique id per message or per session, or no unique id for correlation at all? What kind of user information do you have? Can you add some sample mocked-up data?
Examples are below but the goal is to be able to report (per user) login time, logout time, session duration over multiple days. 🙂
LOGIN, LOGOUT, User, SessionId, Duration... are all extracted fields.
Thank you
Example of a login event
Mar 10 18:35:35 03/10/2017: 18:34:57 ns 0-PPE-0 : SSLVPN LOGIN 17573462 0 : Context JoeSmith@x.x.x.x - SessionId: 43717- User JoeSmith - Client_ip x.x.x.x - Nat_ip "Mapped Ip" - Vserver x.x.x.x:443 - Browser_type "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.1439" - SSLVPN_client_type - Group(s) "N/A"
Example of a logout event
Mar 10 18:50:30 03/10/2017: 18:49:52 ns 0-PPE-0 : SSLVPN LOGOUT 17576185 0 : Context JoeSmith@x.x.x.x - SessionId: 43717- User JoeSmith - Client_ip x.x.x.x - Nat_ip "Mapped Ip" - Vserver x.x.x.x:443 - Start_time "03/10/2017:18:34:57 " - End_time "03/10/2017:18:49:52 " - Duration 00:14:55 - Http_resources_accessed 23 - NonHttp_services_accessed 0 - Total_TCP_connections 74 - Total_UDP_flows 0 - Total_policies_allowed 74 - Total_policies_denied 0 - Total_bytes_send 2170 - Total_bytes_recv 417916 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 159514 - Compression_ratio_send 0.00% - Compression_ratio_recv 61.83% - LogoutMethod "Explicit" - Group(s) "N/A"